This repository allows to create Digital Ocean 512m droplet running Ubuntu 16.04, and then install Strongswan
Strongswan is configured to accept remote-access IPSEC VPN IKEv2 connections, with the following transform sets:
- IKEv2 transforms:
aes256-sha256-modp1024IOS 9+ for Apple iPad, iPhone and etcaes256-sha1-modp1024Win 73des-sha1-modp1024OS X
As authentication is used PSK (shared-key). PSK is being generated using Terraform resource random_id", e.g.
resource "random_id" "ipsec_key" {
byte_length = 32
}
That ensures that PSK will be unique every time and cryptographically random.
Strongswan configuration is defined within https://github.com/murat1985/dovpn/blob/master/init.sh script.
As pre-requesits you need the following:
- Have Terraform installed, OS X/Linux/Windows/FreeBSD are supported
- Clone this repository:
git clone https://github.com/murat1985/dovpn
- Generate Digital Ocean Token
- Create environment variables:
export TF_VAR_do_token=digital_ocean_token
export TF_VAR_ssh_key=~/.ssh/id_rsa.pub
export TF_VAR_domain_name=mydomain.invalid
export TF_VAR_droplet_name=mydroplet
We assume that you have a domain name, and it is deligated to Digital Ocean nameserver otherwise you can slightly modify TF template. Having domain is better as you can refer your VPN server by domain name without changing IP address.
Change directory to cloned repository:
cd dovpn
Run terraform commands, check that output is correct and expected:
make plan
Create a droplet:
make apply
Destroy configuration:
make destroy
Get PSK key from the output, we are using hex format, so you need to grep hex
terraform show
Configure your device accordingly:
- Add Xauth support
- Extract some variables to environment
- Dockerise ?
You probably want to fork this repository to make required alterations, also init.tpl script
is downloading init.sh from this repository
probably you want to change it to yours. The script url will be exctracted in future.